vnunet.com has a report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful.

The flaw was disclosed by enterprise security firm Core Security Technologies. According to Core, an attacker exploiting it could remotely execute code on a user's machine, using the instant-messaging channel to reach and exploit bugs in Internet Explorer.

All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customize text messages with specific font formats or colours.

The vulnerable AIM clients use an embedded Internet Explorer control (the IE rendering engine hosted inside the client) to render this HTML content.

However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.
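The defensive counterpart to the flaw described above is to run inbound rich-text payloads through a strict allowlist before handing them to an HTML renderer. The sanitizer below is an added example written for this page; it is not code from the vnunet report, Core's advisory, or AOL's client, and the tag and attribute set it permits (font/b/i/u/br/body with face, color and size) is assumed for illustration. The hostile message it processes is constructed for the example.

```javascript
// Added example (not AOL's or Core's code): allowlist sanitizer for rich-text IM
// payloads that will be rendered by an embedded browser control.
// Tags not listed here are dropped; tags in DROP_WITH_CONTENT are dropped
// together with everything up to their closing tag.
const ALLOWED_TAGS = { font: ['face', 'color', 'size'], b: [], i: [], u: [], br: [], body: [] };
const DROP_WITH_CONTENT = new Set(['script', 'style', 'object', 'iframe', 'embed', 'applet']);

// Attribute values must match a tight pattern, so no escaping of values is
// needed on output and no URL or script can hide in a colour or face name.
const ATTR_VALUE_RULES = {
  color: /^(#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$/,
  size: /^[1-7]$/,
  face: /^[a-zA-Z0-9 ,]{1,64}$/,
};

// Escape text nodes so stray '<' or '&' cannot start markup in the renderer.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep only allowlisted attributes whose values pass their rule; event handlers
// (onmouseover, onload, ...) are never in the allowlist and are discarded.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_TAGS[tag];
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let a;
  while ((a = attrRe.exec(rawAttrs || '')) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    if (!allowed.includes(name)) continue;
    if (!ATTR_VALUE_RULES[name].test(value)) continue;
    out += ` ${name}="${value}"`;
  }
  return out;
}

// Tokenise the message into comments, tags and text, and rebuild it from the
// allowlist. Returns a string safe to pass to an HTML renderer.
function sanitizeIm(html) {
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the closing tag that ends a dropped region
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    if (!skipUntil) out += escapeText(text);
    last = tagRe.lastIndex;
    if (m[1] === undefined) continue; // HTML comment: dropped
    const name = m[1].toLowerCase();
    const isClose = m[0][1] === '/';
    if (skipUntil) {
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!isClose) skipUntil = name;
      continue;
    }
    if (!(name in ALLOWED_TAGS)) continue;
    if (isClose) { out += `</${name}>`; continue; }
    out += `<${name}${sanitizeAttrs(name, m[2])}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return out;
}

// Constructed hostile message: legitimate formatting mixed with script, an
// event handler, an object tag and a comment, as an attacker might send it.
const HOSTILE_MESSAGE =
  '<html><body><font color="red" onmouseover="alert(1)">hi</font>' +
  '<script>evil()</script><object data="x"></object><b>bold</b><!-- c --> a < b</body></html>';

console.log(sanitizeIm(HOSTILE_MESSAGE));
```

Passing the message through `sanitizeIm` before rendering keeps the font colour and bold formatting the feature exists for while removing everything the embedded control would otherwise execute; an unsanitized path would hand the script and handler straight to the renderer.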

AOL has acknowledged the problem and is urging users to upgrade to the latest version of the AIM beta client. Alternatively, they can use its Web-based AIM Express service until a fix is ready.

About Paul Mah

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
